Mining Chat Logs from the Conti Group

DHS CINA COE, George Mason University

CINA Mentor: Isaac Gang

Faculty PI: Boyan Kostadinov, City Tech

Joseph Liu, Julio Rayme, City Tech

8/11/2022

The Conti Chat Logs

On February 27, 2022, just 3 days after Russia invaded Ukraine, a Ukrainian “cybersecurity researcher” angered by Russia’s invasion of his country published a cache of chat logs containing conversations between members of the notorious Russian-speaking ransomware group Conti.

The original JSON files in Russian can be found here:

Conti chat logs in Russian

A complete English translation of the Conti chat logs is also provided by Northwave Security, but it contains both English and Russian text and it is more difficult to work with.

The Conti Chat Logs in English

Bill Demirkapi, a computing security major at Rochester Institute of Technology, shared on Twitter a version of the Conti chat logs translated into English, which we used:

The Conti Chat Logs

The Conti data contains messages allegedly taken from a Jabber server that Conti used for instant messaging.

The leak contained 393 JSON files, each having 4 variables:

  • date: date the message was sent
  • from: user who sent the message
  • to: user who received the message
  • body: the text of the message

with 60,800 messages sent between 1/29/2021 and 2/27/2022.

Data Processing

We discovered that the 393 JSON files were not properly formatted, and as a result we could not parse them. We found an online tool, Jsonrepair, which we used to repair the files.

Then we were able to parse the JSON files, and we wrote a function to merge their content into a single dataframe.

We extracted the date (ymd) from the ts (timestamp) variable and separated the user names from the .onion email addresses in both the from and to variables, thus creating a dataframe with 4 variables and 60,800 observations.

Users who sent messages

The number of unique users who sent messages is 267 and the full list is given below:

Users who received messages

There are 71 users in the set difference \(\text{to} - \text{from}\), who received messages but never sent any. The number of unique users who received messages is 335 and the full list is given below:
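The processing steps above (parse each JSON file, extract the ymd date from ts, split user names from their onion addresses, merge everything into one table, then compute the sender set, the receiver set and the set difference to − from), as an added Python example that is not part of the original project’s R or Python notebooks. The records, user names and onion hosts are constructed for illustration; the field layout (ts, from, to, body) is the one described on this page.

```python
"""Normalise Conti-style Jabber chat exports into flat rows (added example, stdlib only)."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the same shape as the leaked files; users and hosts are invented.
SAMPLE_JSON = json.dumps([
    {"ts": "2021-03-19T10:15:02.000000", "from": "alice@exampleonion1234.onion",
     "to": "bob@exampleonion1234.onion", "body": "hello"},
    {"ts": "2021-03-19T11:40:45.000000", "from": "bob@exampleonion1234.onion",
     "to": "alice@exampleonion1234.onion", "body": "hi"},
    {"ts": "2021-03-20T09:00:00.000000", "from": "alice@exampleonion1234.onion",
     "to": "carol@exampleonion5678.onion", "body": "report"},
    {"ts": "2021-03-20T09:05:00.000000", "from": "alice@exampleonion1234.onion",
     "to": "dave@example.com", "body": "non-onion recipient"},
])


def split_address(addr):
    """Return (user, host) for 'user@host'; a bare name maps to (name, '')."""
    user, _, host = addr.partition("@")
    return user.strip().lower(), host.strip().lower()


def parse_ts(ts):
    """Parse an ISO-like timestamp and keep only the calendar date (ymd)."""
    return datetime.fromisoformat(ts).date()


def load_messages(raw_json):
    """Parse one file's content into rows with the 4 variables: date, from, to, body."""
    rows = []
    for rec in json.loads(raw_json):
        sender, _ = split_address(rec["from"])
        recipient, _ = split_address(rec["to"])
        rows.append({"date": parse_ts(rec["ts"]), "from": sender,
                     "to": recipient, "body": rec["body"]})
    return rows


def merge_files(json_texts):
    """Concatenate the rows of many files (the page merged 393) into one table."""
    rows = []
    for text in json_texts:
        rows.extend(load_messages(text))
    return rows


def user_sets(rows):
    """Senders, receivers, and the set difference to - from (received but never sent)."""
    senders = {r["from"] for r in rows}
    receivers = {r["to"] for r in rows}
    return senders, receivers, receivers - senders


def daily_counts(rows):
    """Messages per day, the series behind the 'daily messages' time series."""
    return Counter(r["date"].isoformat() for r in rows)


def non_onion_users(raw_json):
    """(user, host) pairs whose address does not end in .onion (the page found 8 users)."""
    found = set()
    for rec in json.loads(raw_json):
        for field in ("from", "to"):
            user, host = split_address(rec[field])
            if host and not host.endswith(".onion"):
                found.add((user, host))
    return found
```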

What is ransomware?

  • Malicious software that can either encrypt all of your data or lock you out of your computer.
  • Once the ransomware has infected your computer, it will ask you to pay a ransom.
  • Cyber attacks now have the potential to paralyze entire industry sectors and government agencies.
  • Multibillion-dollar “industry”.
  • Alternative attractive source of income in countries with economic instability.
  • Extorting payments using cryptocurrencies.

Ransomware Attacks

Alabama, July 2019: the SpringHill Healthcare Center was struggling with a ransomware attack when heart rate monitors failed and a newborn died, the first “death by ransomware”.

Ransomware Attacks

July 2022

Ransomware attacks

  • AIDS: 1989, trojan, floppy disk, $189, US.

  • CryptoLocker: 2013, trojan, 0.5 BTC, $3 million.

  • CryptoWall: 2014 $500 worth BTC.

  • SimpleLocker: 2014, android devices.

  • TeslaCrypt: 2015, trojan, $500 worth BTC.

  • Petya: 2016, $300 worth BTC.

  • Locky: 2016, email, doc file, 0.5-1 BTC.

  • Jigsaw: 2016.

  • WannaCry: 2017, worm, $300-$600, hundreds of billions in damages, NK.

  • Bad Rabbit: 2017.

  • Cerber: 2016, phishing, $2.3 million, does not attack ex-USSR countries.

  • Ryuk: 2018, phishing, sophisticated.

  • Conti: 2020.

Conti

  • variant of ransomware

  • gain initial access to network through emails that contain malicious attachments or links

  • poses a severe threat to and damages the system, namely by encrypting data on the victim’s computer

  • spreads to other computers on the same computer network

Conti Ransomware Group

  • Most prolific and costliest transnational ransomware group

  • According to the FBI, as of January 2022 the group remained active, with reported attacks against U.S. and international organizations

  • Payouts exceeding $150,000,000

Source: NJCCIC

Time series of daily messages

Spikes in activity

Most Sundays appeared to be days off, except for two Sundays. The biggest Sunday spike in activity took place on 12/12/2021 when 400 messages were sent. This correlates with the Conti ransomware attack on Shutterfly, which later disclosed that Conti deployed the ransomware on December 13th, 2021.

Almost 300 messages were sent on Sunday 01/23/22. The day after, on 01/24/22, a warning was released about a possible cyberattack on the U.S. from Russia in case the U.S. interfered with its invasion of Ukraine. Reference

  • What happened between August 27 and September 2, 2021? (global max)
  • What happened on December 1, 2021? (almost 1000 messages)
  • What happened on October 22, 2021? (853 messages)

Distribution of messages

minimum   q1   median   mean   q3   maximum
      1   38      117    155  208      1289

Time-series of encrypted messages

minimum   q1   median   mean   q3   maximum
      1   20       66     76  120       269

REvil and Conti

There are 15,415 encrypted messages, which is about 25% of all messages.

March 19th 2021

The Acer ransom, the highest ransom ever, was claimed by REvil! On March 18, 2021, a REvil affiliate claimed on their data leak site that they had downloaded data from Acer and installed ransomware. The cybersecurity firm Advanced Intel linked the attack to the 2021 Microsoft Exchange Server data breach and found the first signs of Acer servers being targeted on 5 March 2021. A $50 million ransom was demanded to decrypt the undisclosed number of systems and to delete the downloaded files, increasing to $100 million if not paid by 28 March 2021. Remember that on March 19, 2021, Conti had the highest volume of encrypted messages: 269 encrypted messages were sent on that day! Reference

March 23-27, 2021

Conti had a high volume of encrypted messages between March 23 and March 26 (around 300 encrypted messages). On March 27, 2021, REvil attacked the Harris Federation and published multiple financial documents of the federation on its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.

June 9-11, 2021

On June 9, 2021, Conti had the second highest volume of encrypted messages: 229 encrypted messages were sent on that day. Chicago-based solar and wind developer Invenergy said that it had been hacked, following a recent trend in energy-sector data breaches. Russia-linked hackers REvil claimed involvement in the breach. The attack was reported on June 11 and is the latest in a series of hacks claimed on REvil’s dark web site, including recent attacks on Quanta, a Taiwanese supplier of Apple, and JBS, an industrial meatpacker. Reference

Who sends and who receives the most encrypted messages

The from-to pairs with the most encrypted messages

Non-onion emails

Before being processed, the large majority of email addresses in this data set ended in the .onion extension. Such emails are hard to track.

However, there are 8 users who had email addresses ending in other extensions.

Unnesting messages into words

Websites

Mining bitcoin addresses

Who sent and who received the most bitcoin addresses

Unique bitcoin addresses

Top pairs for bitcoin addresses

Users with most messages sent

Document-term analysis of key users

Wordclouds for key users

Wordclouds for key users

Wordclouds for key users

Distribution of message lengths

minimum   q1   median   mean   q3   maximum
      1    2        4   9.29    8       924

Longest messages

Correlation network

Network of top pairs of users

Centrality network for top users

Clustering into communities

Analysis of Bigrams

Extracting IP addresses
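The two mining steps named above, bitcoin addresses (see “Mining bitcoin addresses”) and IP addresses, as one added Python example that is not the project’s own code. Legacy addresses (prefix 1 or 3) are verified with the Base58Check double-SHA-256 checksum so that random base58-looking tokens are dropped; bech32 (bc1…) addresses are matched syntactically only. IPv4 candidates are validated with the ipaddress module and private or reserved ranges are discarded. The sample rows are constructed; the two legacy addresses are the well-known Bitcoin genesis address and the Bitcoin wiki P2SH example, and the third is that genesis address with its last character altered.

```python
"""Mine bitcoin addresses and public IPv4 addresses from chat message bodies (added example)."""
import hashlib
import ipaddress
import re
from collections import Counter

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")   # P2PKH / P2SH
BECH32_RE = re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b")         # syntactic only
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def b58decode(text):
    """Decode a base58 string to bytes; each leading '1' is a leading zero byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)   # ValueError on a bad character
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def is_valid_legacy(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA-256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def find_btc_addresses(body):
    """Checksum-validated legacy addresses plus syntactically matched bech32 ones."""
    found = [a for a in LEGACY_RE.findall(body) if is_valid_legacy(a)]
    return found + BECH32_RE.findall(body)


def find_public_ips(body):
    """Dotted-quad candidates that parse as IPv4 and are globally routable."""
    ips = []
    for cand in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:        # e.g. an octet above 255
            continue
        if ip.is_global:          # drops RFC 1918, loopback, link-local, reserved
            ips.append(str(ip))
    return ips


def mine(rows):
    """Addresses sent per user, the unique address set, and the public IPs seen."""
    by_sender, unique_addrs, ips = Counter(), set(), set()
    for r in rows:
        addrs = find_btc_addresses(r["body"])
        by_sender[r["from"]] += len(addrs)
        unique_addrs.update(addrs)
        ips.update(find_public_ips(r["body"]))
    return by_sender, unique_addrs, ips


# Constructed sample rows in the page's from/to/body layout, not taken from the leak.
SAMPLE_ROWS = [
    {"from": "mango", "to": "stern", "body": "wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"},
    {"from": "mango", "to": "stern", "body": "second 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"},
    {"from": "bentley", "to": "mango", "body": "segwit bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"},
    {"from": "defender", "to": "mango", "body": "typo 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb ignore"},
    {"from": "revers", "to": "mango", "body": "vpn 8.8.8.8 lab 10.0.0.5 bogus 999.1.1.1"},
]
```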

IP Addresses by Country

IP Addresses Across the Globe

IP Addresses by Country and City

IP Addresses in the US

A Map of IP Addresses in the US

A Map of IP Addresses in Europe

Network of Encrypted Messages

Bitcoin Centrality Network

Bitcoin Clustering Network

Future Investigations

Companies like Chainalysis have been identifying wallets that are linked to criminal activity, such as Darknet transactions. Chainalysis’s most famous work was helping the FBI identify two rogue agents who had been stealing Bitcoins from the wallet of an online drug market operator.

Another company working on blockchain analysis software is the California startup Ciphertrace. They have even gone as far as infecting their own systems with ransomware to track the coins paid to decrypt the machines.

A YouTube video

The first time we saw this video, in early June, it had only 21 views, but now the number is 425. The video was sent from many to revers on October 1, 2021. Google can filter the IP addresses of all people who viewed this video on that day.

Longest messages of Stern

Longest messages of Mango

Longest messages of Salamandra

Longest messages of Bio

Conti follows articles about Conti

Text from the article below:

was sent to stern by mango on July 16, just 2 days after it was published online. Conti probably follows:

Conti Org Chart

flowchart TD
  A[CEO: Stern] --> F(COO: Mango)
  A[CEO: Stern] --> B(HR: Salamandra)
  A[CEO: Stern] --> C(Blog: Bio)
  A[CEO: Stern] --> D(BuildMachine: Bentley)
  A[CEO: Stern] --> E(Encoded Comms: Defender)
  A[CEO: Stern] --> G(Revers Eng: Revers)

Stern:

  • The CEO of Conti
  • Tasking team leaders and paying teams’ salaries
  • Losing interest in ransomware, getting much more interested in cryptocurrencies, NFTs, and building a social network on their own private blockchain.

Mango:

  • The COO of Conti
  • Collects bitcoin addresses from team leaders and sends them to stern for payment
  • Makes sure to fulfill stern’s wishlist

Salamandra:

  • The HR, in charge of recruitment
  • Interviewing, onboarding and negotiating salaries with candidates and their roles
  • Using hh.ru for recruiting services, reviewing resumes, looking for the right coders

Bio:

  • Blogger and negotiator
  • Writes about their targets and captured information
  • Makes sure to provide the decryptor key to the victims once they pay the ransom

Alka Texts of Potential Value

mango->stern: Alka found contacts through relatives. My guys have excellent contact with the Russian diaspora in Brooklyn, we have our own chief judge there, what is the chairman of the court here - she immediately gave us her lawyer who is moving with her. All states have their own laws and, accordingly, lawyers. This one is specifically from Florida, he is local there, he seems to know everyone. At 5 in the morning he was blown up) all the data was given to him, he is already engaged. I told them this: we need to clarify the situation with all the latest news, find out who her lawyer is and what claims go to her, and so on, in general, for now, intelligence will try to get all the official papers that we have, and we will continue to think. We will try to make a victim out of her, got a job on the Internet, what she did and with whom she worked, she didn’t know, if the guys don’t let us down, we’ll pull her out or get the minimum possible. I’ll keep you informed.

mango->stern: Alka is transported from Florida to Ohai, she has a state lawyer because she doesn’t have money for her, as I understand it. We can get documents if our lawyer concludes an agreement with her for defense and will represent her. In order for him to start acting, you need to charge him 10k. And we need to think about how it is safe for him to send them to the US .. How and what’s next for now xs, everything is suspended there. Waiting for an answer.

mango->stern: look at the Alka what the hell.. she’s not an immigrant, she has all the relatives there, citizenship, and so on. there are 50 cases on it - episodes according to ours. passes like a Russian hacker, the case will most likely be political.

mango->stern: the couple with Alka lost a little, she’s not fucking young, she’s 55 years old))))) by Wednesday I’ll try to find an option how to send money to a lawyer, he began to rustle slowly, establishing contacts with her relatives for now. 55 may even be good, it will be easier to build a victim of circumstances ..

mango->stern: According to the professional - I spoke with him, he said that you yourself decide everything there and tell me what to do, as a result, there was no information from you or from him .. Bro, if possible, please pay a little more attention - I try to work on all your Wishlist, and you read everything through the line. and you ended up talking to him about the blockchain. I understand that the social network will be on the blockchain, but the development of the social network also needs coders - here he has them. As for the part of the blockchain, we will look for other people for this .. so, in the end, you didn’t talk to him for that at all, well, or I don’t understand something correctly in the tasks that you set Ebash here day and night on all fronts what you put, I want you to be happy with everything there, I constantly show some kind of initiative, and in the end you answer once a day at best .. And about the fact that he pulled up someone close - well, yes, he pulled it up, through his brother he found the right people to solve your problem. Nobody can do that to you online. And offline, I don’t think that you will find the same frostbitten guys who will agree to risk a normal white company with a good turnover and reputation, and even more than one in the end. I didn’t find it, and no one else would have found it, it’s not for you to buy coke on a hydra, there the private security service works like in the white house. It was just a fucking difficult task, and in the end we put the squeeze on it, bought it. I also promised the guys on my own behalf heifers and a sauna, because it really was, well, not very easy. The same goes for Alka - you set the task of solving her problem. I go out of my way to solve this, since I have good opportunities in this area - but again, this is all offline, through a trusted person in whom I am 100% sure. I perfectly understand that this is at least a thread to me. And I also understand my personal risks. 
But I do your request as for myself. In general, I try to solve all these very extravagant quests of yours. I worry about the results of the whole team as if they were my own. I get upset when negativity flies at the trick and I try to fix it all, fix it and finalize it .. I save your money like my own, I demand reports from everyone, I bargain with everything, I collect sanctions if there are such people for someone .. Everything is always clear on all financial issues and several times I unsubscribe to you what was spent where and how much, why and why. But I have a clear feeling that you are not interested in all this at all. I’m not an extrasensory. I can’t think of your cunning plan and all your wishes for you. Unsubscribe then tasks more precisely. I wrote about offline that I would do it through friends - I wrote this all the time. You didn’t say a word. And now you’re saying you can’t. We also talked about the budget of all these movements more than once - you wrote that ok, 50 60k norms suits you .. And then it turns out that you don’t need it anymore. I am writing that we have people whom we did not take into account earlier - I know that you do not have time for this, I decide the issue with them myself so as not to soar you and not beg for the next 3-5k, I unsubscribe everything to you and write down where and for what was spent - and you don’t even remember about it. You constantly make me think that you are not interested in what is happening here, that no matter how hard I try for you, I bring some results - and you fucking remember after 2 days about it .. “then, tomorrow, yes, ok” This for you, these are all trifles, but I lived here all my life until I organized and muddied all this. I will be so gray-haired in a year.

Other texts of value

Important: They want to build a social network for darknet users on top of a private blockchain.

stern->mango: on social networks need movement

stern->mango: there must be at least 1 million people on the social network

mango->stern: therefore, I propose to use the social network at the initial stage, by the way, in order to create credibility and excitement - let it go by guarantee / vote

mango->stern: Bro prepared everything both on the social network and on articles for crypto contests, but there is a lot of information there, can it be uploaded somewhere in the archive?

mango->stern: I remind you once again that today left for Moscow time on your business, I’ll be in the late afternoon a sketch is ready on the social network, but I don’t know how relevant it all is, if necessary I will send it ..

stern->baget: write to mango@ he also makes a social network, you will be responsible for it too

mango->ghost: we make a social network primarily for ourselves and the community. in order to replace obsolete sites, etc., etc.

mango->ghost: the task is to make a social network so that the login password and private key. ita hacker. and all in one site. and how beautiful everything will be on the site - we will make an application out of it. And there, in general, the functionality will not be limited

mango->ghost: if you want to participate, write a report on some topic that is close to you, why it is, what are the prospects and how we can use it in the social network for darknet users)

mango->stern: And about the social network. Are we hiring people for this? Or just blockchain? The guy who wrote to you yesterday - he is not a blockchain developer, he has coders with php python, I thought they are needed for the social network, he wrote all this to you yesterday, but you probably didn’t read …

mango->stern: According to the professional - I spoke with him, he said that you yourself decide everything there and tell me what to do, as a result, there was no information from you or from him .. Bro, if possible, please pay a little more attention - I try to work on all your Wishlist, and you read everything through the line. and you ended up talking to him about the blockchain. I understand that the social network will be on the blockchain, but the development of the social network also needs coders - here he has them. As for the part of the blockchain, we will look for other people for this ..

mango->stern: I overclocked yesterday, fantasized fun functions, supposedly personal file storage, with the ability to share individual files, closed clubs of interest, entry into which would be considered by voting, open public groups for general discussion .. User reputation system to throw and intermediaries to eradicate and leave only really working guys .. You can also tie a bunch of services here, like the grandmothers did last week, when they gave the opportunity to spread the date to all hackers on their resources, even if they themselves and have nothing to do with their locker - any can put any date there for storage .. Here, under this social network, you can realize all your erotic fantasies in one place, both the exchange and file storage in the blockchain .. The works are gigantic volumes, without the experience of administration we ourselves will not pull, I think that we need to attract some kind of colleagues, like xss .. this will be the evolution of our underground into something more serious .. Uncles, think it all over, please, the topic is interesting, but very difficult.

More texts of value

stern->bloodrush: I’m addicted now, I’m interested in trading, defi, blockchain, new projects … everywhere there is an exhaust. And how boring everything is. I’m sure you’ll make your own there too. There is a big dream probably in this topic, I’m not sure that it is needed, but we will be useful to everyone. big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.

stern->driver: Country Bot ID link: etrade.com login pass

bio->skippy: Do you really think that your information (more than 115 GB) is not worth that much money? Personal data of clients, financial statements of the company and so on are no longer interesting for DarkNet? I think you are wrong. But we can always check it by posting your information on the our blog and notifying Internet news agencies. I think the courts and competitors will quickly let you know about yourself.

mango->buza: I’m talking about exactly searching for contacts and collecting information and a person, breaking through social networks and so on … immediately collect information, as soon as they got stuck - we already had the necessary contacts, phones, their partners, and options for how to hit them [00:39:30] in ad_users there is all the info, there are all employees and their mails, surnames, etc. [00:39:33] and positions [00:39:45] then you need to do this [00:39:58] if you pick up the date - provide these contacts to us at least for study [00:40:27] Of course [00:40:31] We will immediately give out everything [00:40:33] everything you take from the network - everything that is useful to us for analysis would be cool of course [00:40:40] it is necessary to somehow coordinate everyone now [00:40:45] so that all this does not rest on us) [00:41:17] will you add me to the rocket? [00:41:19] must be terribly tinny. you spelled it correctly [00:41:23] let’s do it tomorrow [00:41:39] kk [00:41:44] timing is one thing, they need to be afraid of leaks [00:41:49] we need to study plums in more detail [00:42:03] and see what’s useful there, latest developments, etc., everything that can cost them money [00:42:05] yes, to study in detail the information that we pump out from them [00:42:10] and not just from the bold fill in the mega

Educational Materials

We created the initial versions of tutorials implementing the workflows that we developed for data analysis, text mining, natural language processing, visualizations, geographic maps and network analysis.

We have an R version based on Quarto notebooks, and a Python version also based on Quarto notebooks and RStudio. We developed more than 70 pages of instructional materials that we hope to be able to keep improving and expanding into proper hands-on tutorials and self-contained educational modules on the workflows we developed for investigating the Conti chat logs that can be applied to any other similar dataset.

Relevance to the Mission of the DHS

In addition to better understanding the command and control structure of the Conti group, we believe that there is some actionable intelligence in the data we mined from the Conti chat logs that could aid the DHS and other law enforcement agencies in identifying individuals behind the Conti group by tracking a subset of the 278 unique BTC wallet addresses used to make regular salary payments to the Conti members, especially when they access the bitcoins at BTC exchanges.

The information about the US citizen Alka, held on unspecified charges (possibly hacking related) in Florida last year, could prove to be quite valuable, given how important this 56-year-old woman appears to be for the Conti leadership.

The 315 IP addresses, along with their geolocations, which we mined using a separate IP database from IP2Location, could also provide some useful historical information about the VPN servers they used, even though they probably stopped using them after their chat logs were released.

The group could possibly be infiltrated through their recruitment practices via https://hh.ru/.

Searchable Conti Database

IP Addresses by City

Extracting any non-letter characters

Mining dollar amounts

An encrypted message?

From defender to her/himself:

yvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fwa fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf wa yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy Wafa wa fyva fyv ayf vayvyfvayfv ayf va yfva fyva fyv ayf va yfva yfva yfv afy vafy va fyva fyv ayf va